How to work with PH_SMSG_* functions in 4.2.x

[eduard41]

Hello everyone, as the post title states I'm looking for information on how to work with PH_SMSG_* functions - more correctly how to get the opcodes for functions with such prefix. You see, the problem I encounter is that in client ver 4.0.6 you could follow xref to the handler function in IDA(by doing so you could find special hex values and offsets), be it a special handler or an regular one. This is no longer true for clients ver 4.2.x - you can only follow xref for special handlers, regular ones no longer have xref's pointing to them. So, the big question is, how to get the opcodes for regular handlers if xref no longer for them?

Thanks to whomever answers the question ^^

[jjaa]

They're being *******s and encrypting/obfuscating the address. This means that IDA cannot pickup any references.

if you look at 008A30A0 that registers the packet handlers, you will see references to a table of cont values 00BAC788. These are then used to generate the address with the opCode from the packet. Like this.
addr = constValue - ((opCode | (opCode << 16)) ^ 0x62A3A31D)
Unfortunately this does mean you need the opCode for each packet...

[Ricky008]

Hey edu do a search on Google for reply. Sorry for no help.

Change is inevitable... except from vending machines

[LordJZ]

You can use my reference table for build 14333. It misses only some lobby opcodes.

http://www.ownedcore.com/forums/worl...ml#post2095863

[eduard41]

jjaa, thanks for pointing in the right direction ^^, I've to got just one more question, judging from the equation addr = constValue - ((opCode | (opCode << 16)) ^ 0x62A3A31D) we cannot reverse it to spit out needed things because we have two unknown variables in it : opCode & addr, so how do you look up opcode? Sorry If I sound dumb, its still early morning in my country and I'm sleepy


LordJZ, thanks for the link, will use your table for reference.

[jjaa]

The issue is getting the opCode. You need the opCode that is sent from the server. Not the one that is used to register the packet. For example, the server sends the packet with the opCode 0x2A27 that is decompressed (maybe not the best word but it does shit to it) by

newOpCode = opCode & 1 | ((opCode & 0x1C | (((opCode & 0xC0) | ((opCode & 0x1C00 | (opCode >> 1) & 0x6000) >> 2)) >> 1)) >> 1)

so newOpCode is 0x83 which gives us the encrypted address at
clientConnectionThing+0x83*4+0x560
which is 0x490EB86A.

Now we go
addr = 0x490EB86A- ((0x2A27 | (0x2A27 << 16)) ^ 0x62A3A31D)
and the handler/addr is 0x8a2f30

The annoying thing is that you don't know 0x2A27 until the packet is sent and afaik you cannot reverse the 0x2A27 -> 0x83 operation because the bit-wise AND's destroy information about the opCode.

[MaiN]

The issue is getting the opCode. You need the opCode that is sent from the server. Not the one that is used to register the packet. For example, the server sends the packet with the opCode 0x2A27 that is decompressed (maybe not the best word but it does shit to it) by

newOpCode = opCode & 1 | ((opCode & 0x1C | (((opCode & 0xC0) | ((opCode & 0x1C00 | (opCode >> 1) & 0x6000) >> 2)) >> 1)) >> 1)

so newOpCode is 0x83 which gives us the encrypted address at
clientConnectionThing+0x83*4+0x560
which is 0x490EB86A.

Now we go
addr = 0x490EB86A- ((0x2A27 | (0x2A27 << 16)) ^ 0x62A3A31D)
and the handler/addr is 0x8a2f30

The annoying thing is that you don't know 0x2A27 until the packet is sent and afaik you cannot reverse the 0x2A27 -> 0x83 operation because the bit-wise AND's destroy information about the opCode.

Code:

0x2233 -> 0x9
0x223A -> 0xC
0x223B -> 0xD
0x226A -> 0x14
0x226F -> 0x17
0x2276 -> 0x1A
0x227A -> 0x1C
0x22AA -> 0x24
0x22AB -> 0x25
0x22AE -> 0x26
0x22AF -> 0x27
0x22B6 -> 0x2A
0x22BA -> 0x2C
0x22F3 -> 0x39
0x22FB -> 0x3D
0x22FF -> 0x3F
0x2622 -> 0x40
0x2627 -> 0x43
0x2632 -> 0x48
0x263B -> 0x4D
0x2666 -> 0x52
0x267B -> 0x5D
0x26A3 -> 0x61
0x26AF -> 0x67
0x26B6 -> 0x6A
0x26EA -> 0x74
0x26EB -> 0x75
0x26EE -> 0x76
0x26EF -> 0x77
0x26F6 -> 0x7A
0x26FB -> 0x7D
0x26FF -> 0x7F
0x2A27 -> 0x83
0x2A37 -> 0x8B
0x2A3F -> 0x8F
0x2A6B -> 0x95
0x2A76 -> 0x9A
0x2A7A -> 0x9C
0x2A7F -> 0x9F
0x2AAA -> 0xA4
0x2AB7 -> 0xAB
0x2ABA -> 0xAC
0x2ABF -> 0xAF
0x2AF7 -> 0xBB
0x2AFF -> 0xBF
0x2E3A -> 0xCC
0x2E3E -> 0xCE
0x2E3F -> 0xCF
0x2E66 -> 0xD2
0x2E67 -> 0xD3
0x2E6E -> 0xD6
0x2E7A -> 0xDC
0x2EA2 -> 0xE0
0x2EA7 -> 0xE3
0x2EAA -> 0xE4
0x2EBB -> 0xED
0x2EE7 -> 0xF3
0x2EEA -> 0xF4
0x2EFB -> 0xFD
0x3227 -> 0x103
0x322E -> 0x106
0x3232 -> 0x108
0x326B -> 0x115
0x326E -> 0x116
0x326F -> 0x117
0x3276 -> 0x11A
0x327F -> 0x11F
0x32B3 -> 0x129
0x32E7 -> 0x133
0x32F7 -> 0x13B
0x3623 -> 0x141
0x3626 -> 0x142
0x362A -> 0x144
0x3632 -> 0x148
0x366A -> 0x154
0x367A -> 0x15C
0x367F -> 0x15F
0x36A2 -> 0x160
0x36AB -> 0x165
0x36BA -> 0x16C
0x36E6 -> 0x172
0x36F6 -> 0x17A
0x3A2A -> 0x184
0x3A32 -> 0x188
0x3A36 -> 0x18A
0x3A3A -> 0x18C
0x3A63 -> 0x191
0x3A73 -> 0x199
0x3A76 -> 0x19A
0x3AB7 -> 0x1AB
0x3ABE -> 0x1AE
0x3ABF -> 0x1AF
0x3AEE -> 0x1B6
0x3AF2 -> 0x1B8
0x3AF3 -> 0x1B9
0x3E2E -> 0x1C6
0x3E36 -> 0x1CA
0x3E3E -> 0x1CE
0x3E67 -> 0x1D3
0x3E6B -> 0x1D5
0x3E6F -> 0x1D7
0x3E76 -> 0x1DA
0x3EAF -> 0x1E7
0x3EB6 -> 0x1EA
0x3EBE -> 0x1EE
0x3EE2 -> 0x1F0
0x3EF2 -> 0x1F8
0x3EF3 -> 0x1F9
0x3EFA -> 0x1FC
0x3EFB -> 0x1FD
0x622B -> 0x205
0x622E -> 0x206
0x623A -> 0x20C
0x627A -> 0x21C
0x62BA -> 0x22C
0x62BF -> 0x22F
0x62E6 -> 0x232
0x62FB -> 0x23D
0x62FE -> 0x23E
0x662B -> 0x245
0x6636 -> 0x24A
0x663F -> 0x24F
0x6662 -> 0x250
0x6666 -> 0x252
0x666E -> 0x256
0x6672 -> 0x258
0x6673 -> 0x259
0x6677 -> 0x25B
0x66A3 -> 0x261
0x66AB -> 0x265
0x66AE -> 0x266
0x66AF -> 0x267
0x66B3 -> 0x269
0x66BF -> 0x26F
0x66E2 -> 0x270
0x66F3 -> 0x279
0x66FA -> 0x27C
0x66FB -> 0x27D
0x6A22 -> 0x280
0x6A23 -> 0x281
0x6A2A -> 0x284
0x6A2F -> 0x287
0x6A36 -> 0x28A
0x6A7B -> 0x29D
0x6AA3 -> 0x2A1
0x6AA6 -> 0x2A2
0x6AAE -> 0x2A6
0x6AB6 -> 0x2AA
0x6AB7 -> 0x2AB
0x6ABA -> 0x2AC
0x6AEF -> 0x2B7
0x6AF6 -> 0x2BA
0x6AFE -> 0x2BE
0x6AFF -> 0x2BF
0x6E33 -> 0x2C9
0x6E3B -> 0x2CD
0x6E62 -> 0x2D0
0x6E6A -> 0x2D4
0x6E6F -> 0x2D7
0x6E73 -> 0x2D9
0x6E76 -> 0x2DA
0x6E7B -> 0x2DD
0x6EAE -> 0x2E6
0x6EAF -> 0x2E7
0x6EBA -> 0x2EC
0x6EBF -> 0x2EF
0x6EE2 -> 0x2F0
0x6EE6 -> 0x2F2
0x6EE7 -> 0x2F3
0x6EEA -> 0x2F4
0x7222 -> 0x300
0x722A -> 0x304
0x7236 -> 0x30A
0x7237 -> 0x30B
0x726A -> 0x314
0x726F -> 0x317
0x7273 -> 0x319
0x7276 -> 0x31A
0x7277 -> 0x31B
0x727E -> 0x31E
0x727F -> 0x31F
0x72A3 -> 0x321
0x72A7 -> 0x323
0x72AA -> 0x324
0x72BF -> 0x32F
0x72E7 -> 0x333
0x72EA -> 0x334
0x72FA -> 0x33C
0x7623 -> 0x341
0x7626 -> 0x342
0x762F -> 0x347
0x763E -> 0x34E
0x7667 -> 0x353
0x766B -> 0x355
0x766E -> 0x356
0x766F -> 0x357
0x76A6 -> 0x362
0x76A7 -> 0x363
0x76AA -> 0x364
0x76B6 -> 0x36A
0x76BE -> 0x36E
0x76E3 -> 0x371
0x76E7 -> 0x373
0x76EE -> 0x376
0x76F6 -> 0x37A
0x76FE -> 0x37E
0x7A27 -> 0x383
0x7A2A -> 0x384
0x7A2B -> 0x385
0x7A2F -> 0x387
0x7A36 -> 0x38A
0x7A3E -> 0x38E
0x7A6F -> 0x397
0x7A77 -> 0x39B
0x7AA2 -> 0x3A0
0x7AAB -> 0x3A5
0x7ABE -> 0x3AE
0x7AE6 -> 0x3B2
0x7AEA -> 0x3B4
0x7AF6 -> 0x3BA
0x7AFA -> 0x3BC
0x7AFE -> 0x3BE
0x7E26 -> 0x3C2
0x7E3E -> 0x3CE
0x7E72 -> 0x3D8
0x7E73 -> 0x3D9
0x7E77 -> 0x3DB
0x7E7E -> 0x3DE
0x7EAF -> 0x3E7
0x7EB7 -> 0x3EB
0x7EE6 -> 0x3F2
0x7EEB -> 0x3F5
0x7EFA -> 0x3FC
0xA22B -> 0x405
0xA233 -> 0x409
0xA236 -> 0x40A
0xA237 -> 0x40B
0xA23E -> 0x40E
0xA262 -> 0x410
0xA26B -> 0x415
0xA26E -> 0x416
0xA276 -> 0x41A
0xA27F -> 0x41F
0xA2A3 -> 0x421
0xA2A7 -> 0x423
0xA2BB -> 0x42D
0xA2BE -> 0x42E
0xA2E6 -> 0x432
0xA2EA -> 0x434
0xA2EF -> 0x437
0xA2F3 -> 0x439
0xA2F7 -> 0x43B
0xA2FE -> 0x43E
0xA2FF -> 0x43F
0xA627 -> 0x443
0xA62F -> 0x447
0xA632 -> 0x448
0xA63A -> 0x44C
0xA66A -> 0x454
0xA66F -> 0x457
0xA673 -> 0x459
0xA67F -> 0x45F
0xA6A3 -> 0x461
0xA6A7 -> 0x463
0xA6AE -> 0x466
0xA6B2 -> 0x468
0xA6EB -> 0x475
0xA6EE -> 0x476
0xA6F2 -> 0x478
0xA6FE -> 0x47E
0xAA32 -> 0x488
0xAA36 -> 0x48A
0xAA37 -> 0x48B
0xAA62 -> 0x490
0xAA66 -> 0x492
0xAA67 -> 0x493
0xAA6E -> 0x496
0xAA72 -> 0x498
0xAA76 -> 0x49A
0xAA7F -> 0x49F
0xAAA7 -> 0x4A3
0xAAAE -> 0x4A6
0xAAB2 -> 0x4A8
0xAAB3 -> 0x4A9
0xAABA -> 0x4AC
0xAAE2 -> 0x4B0
0xAAE6 -> 0x4B2
0xAAEA -> 0x4B4
0xAAEF -> 0x4B7
0xAAFE -> 0x4BE
0xAE2B -> 0x4C5
0xAE2F -> 0x4C7
0xAE3E -> 0x4CE
0xAE3F -> 0x4CF
0xAE67 -> 0x4D3
0xAE6B -> 0x4D5
0xAE76 -> 0x4DA
0xAEAA -> 0x4E4
0xAEB2 -> 0x4E8
0xAEB3 -> 0x4E9
0xAEBA -> 0x4EC
0xAEBE -> 0x4EE
0xAEBF -> 0x4EF
0xAEE3 -> 0x4F1
0xAEEF -> 0x4F7
0xAEFA -> 0x4FC
0xAEFF -> 0x4FF
0xB227 -> 0x503
0xB26F -> 0x517
0xB272 -> 0x518
0xB27B -> 0x51D
0xB2A2 -> 0x520
0xB2AB -> 0x525
0xB2AE -> 0x526
0xB2B2 -> 0x528
0xB2BA -> 0x52C
0xB2BB -> 0x52D
0xB2E3 -> 0x531
0xB2EF -> 0x537
0xB623 -> 0x541
0xB626 -> 0x542
0xB636 -> 0x54A
0xB637 -> 0x54B
0xB63E -> 0x54E
0xB66A -> 0x554
0xB677 -> 0x55B
0xB67A -> 0x55C
0xB67F -> 0x55F
0xB6A2 -> 0x560
0xB6AA -> 0x564
0xB6B3 -> 0x569
0xB6BA -> 0x56C
0xB6BE -> 0x56E
0xB6E7 -> 0x573
0xB6EA -> 0x574
0xB6EB -> 0x575
0xB6EF -> 0x577
0xB6FE -> 0x57E
0xBA23 -> 0x581
0xBA2B -> 0x585
0xBA63 -> 0x591
0xBA66 -> 0x592
0xBA6E -> 0x596
0xBA72 -> 0x598
0xBA77 -> 0x59B
0xBA7E -> 0x59E
0xBAAA -> 0x5A4
0xBAB7 -> 0x5AB
0xBABF -> 0x5AF
0xBAE3 -> 0x5B1
0xBAE7 -> 0x5B3
0xBAEB -> 0x5B5
0xBAF7 -> 0x5BB
0xBAFA -> 0x5BC
0xBE26 -> 0x5C2
0xBE2A -> 0x5C4
0xBE3A -> 0x5CC
0xBE3B -> 0x5CD
0xBE63 -> 0x5D1
0xBE6B -> 0x5D5
0xBE73 -> 0x5D9
0xBE7F -> 0x5DF
0xBEA6 -> 0x5E2
0xBEA7 -> 0x5E3
0xBEAF -> 0x5E7
0xBEB3 -> 0x5E9
0xBEE2 -> 0x5F0
0xBEE3 -> 0x5F1
0xBEE6 -> 0x5F2
0xBEFB -> 0x5FD
0xE223 -> 0x601
0xE22E -> 0x606
0xE236 -> 0x60A
0xE263 -> 0x611
0xE267 -> 0x613
0xE2AB -> 0x625
0xE2AE -> 0x626
0xE2E6 -> 0x632
0xE2E7 -> 0x633
0xE2F6 -> 0x63A
0xE622 -> 0x640
0xE62F -> 0x647
0xE63A -> 0x64C
0xE66E -> 0x656
0xE67A -> 0x65C
0xE6A3 -> 0x661
0xE6B3 -> 0x669
0xE6F2 -> 0x678
0xE6FB -> 0x67D
0xE6FE -> 0x67E
0xE6FF -> 0x67F
0xEA27 -> 0x683
0xEA2A -> 0x684
0xEA36 -> 0x68A
0xEA66 -> 0x692
0xEA6A -> 0x694
0xEA6B -> 0x695
0xEA7E -> 0x69E
0xEAA6 -> 0x6A2
0xEAAA -> 0x6A4
0xEAAF -> 0x6A7
0xEAB7 -> 0x6AB
0xEABB -> 0x6AD
0xEABF -> 0x6AF
0xEAE3 -> 0x6B1
0xEAE6 -> 0x6B2
0xEAEF -> 0x6B7
0xEAF7 -> 0x6BB
0xEAFE -> 0x6BE
0xEAFF -> 0x6BF
0xEE26 -> 0x6C2
0xEE2F -> 0x6C7
0xEE37 -> 0x6CB
0xEE77 -> 0x6DB
0xEE7A -> 0x6DC
0xEE7F -> 0x6DF
0xEEB7 -> 0x6EB
0xEEE6 -> 0x6F2
0xEEE7 -> 0x6F3
0xEEF2 -> 0x6F8
0xEEFE -> 0x6FE
0xF227 -> 0x703
0xF22B -> 0x705
0xF233 -> 0x709
0xF237 -> 0x70B
0xF266 -> 0x712
0xF26A -> 0x714
0xF26B -> 0x715
0xF277 -> 0x71B
0xF2EF -> 0x737
0xF2FE -> 0x73E
0xF623 -> 0x741
0xF627 -> 0x743
0xF62B -> 0x745
0xF63A -> 0x74C
0xF663 -> 0x751
0xF666 -> 0x752
0xF66B -> 0x755
0xF66E -> 0x756
0xF673 -> 0x759
0xF67F -> 0x75F
0xF6A3 -> 0x761
0xF6AB -> 0x765
0xF6AE -> 0x766
0xF6AF -> 0x767
0xF6B6 -> 0x76A
0xF6BA -> 0x76C
0xF6F2 -> 0x778
0xF6F3 -> 0x779
0xF6FA -> 0x77C
0xF6FE -> 0x77E
0xFA23 -> 0x781
0xFA62 -> 0x790
0xFA67 -> 0x793
0xFA6A -> 0x794
0xFA6B -> 0x795
0xFA73 -> 0x799
0xFAAF -> 0x7A7
0xFABB -> 0x7AD
0xFAE2 -> 0x7B0
0xFAF6 -> 0x7BA
0xFAF7 -> 0x7BB
0xFAFA -> 0x7BC
0xFE2A -> 0x7C4
0xFE2F -> 0x7C7
0xFE3A -> 0x7CC
0xFE72 -> 0x7D8
0xFEA7 -> 0x7E3
0xFEBE -> 0x7EE
0xFEEA -> 0x7F4
0xFEF2 -> 0x7F8
0xFEF7 -> 0x7FB
0xFEFB -> 0x7FD

amidoinitrite?

[LordJZ]

The issue is getting the opCode. You need the opCode that is sent from the server. Not the one that is used to register the packet. For example, the server sends the packet with the opCode 0x2A27 that is decompressed (maybe not the best word but it does shit to it) by

newOpCode = opCode & 1 | ((opCode & 0x1C | (((opCode & 0xC0) | ((opCode & 0x1C00 | (opCode >> 1) & 0x6000) >> 2)) >> 1)) >> 1)

so newOpCode is 0x83 which gives us the encrypted address at
clientConnectionThing+0x83*4+0x560
which is 0x490EB86A.

Now we go
addr = 0x490EB86A- ((0x2A27 | (0x2A27 << 16)) ^ 0x62A3A31D)
and the handler/addr is 0x8a2f30

The annoying thing is that you don't know 0x2A27 until the packet is sent and afaik you cannot reverse the 0x2A27 -> 0x83 operation because the bit-wise AND's destroy information about the opCode.

Actually you *can* do this. My reference table is the proof of this. Though it is a bit more complicated than what you've described.

[MaiN]

Actually you *can* do this. My reference table is the proof of this. Though it is a bit more complicated than what you've described.

rofl, it's simple as hell.

[jjaa]

You do realize that by reverse the 0x2A27 -> 0x83 operation i meant to go from 0x83 -> 0x2A27......

[MaiN]

You do realize that by reverse the 0x2A27 -> 0x83 operation i meant to go from 0x83 -> 0x2A27......

And I just created a map that does just that. Find 0x83 in the list - does it appear twice? It's just reversing the two.

Code:

0x1 -> 0x303
0x3 -> 0x307
0x8 -> 0x341
0x9 -> 0x343
0x9 -> 0x2233
0xC -> 0x361
0xC -> 0x223A
0xD -> 0x363
0xD -> 0x223B
0xE -> 0x365
0xF -> 0x367
0x13 -> 0x707
0x14 -> 0x721
0x14 -> 0x226A
0x15 -> 0x723
0x16 -> 0x725
0x17 -> 0x226F
0x1A -> 0x2276
0x1C -> 0x761
0x1C -> 0x227A
0x21 -> 0xB03
0x22 -> 0xB05
0x23 -> 0xB07
0x24 -> 0xB21
0x24 -> 0x22AA
0x25 -> 0x22AB
0x26 -> 0xB25
0x26 -> 0x22AE
0x27 -> 0xB27
0x27 -> 0x22AF
0x2A -> 0x22B6
0x2B -> 0xB47
0x2C -> 0x22BA
0x2D -> 0xB63
0x2E -> 0xB65
0x30 -> 0xF01
0x32 -> 0xF05
0x38 -> 0xF41
0x39 -> 0x22F3
0x3C -> 0xF61
0x3D -> 0x22FB
0x3F -> 0x22FF
0x40 -> 0x1301
0x40 -> 0x2622
0x41 -> 0x1303
0x43 -> 0x1307
0x43 -> 0x2627
0x48 -> 0x2632
0x4D -> 0x263B
0x51 -> 0x1703
0x52 -> 0x1705
0x52 -> 0x2666
0x54 -> 0x1721
0x5D -> 0x267B
0x61 -> 0x26A3
0x65 -> 0x1B23
0x67 -> 0x26AF
0x68 -> 0x1B41
0x6A -> 0x1B45
0x6A -> 0x26B6
0x6B -> 0x1B47
0x6D -> 0x1B63
0x73 -> 0x1F07
0x74 -> 0x26EA
0x75 -> 0x26EB
0x76 -> 0x1F25
0x76 -> 0x26EE
0x77 -> 0x26EF
0x78 -> 0x1F41
0x7A -> 0x1F45
0x7A -> 0x26F6
0x7C -> 0x1F61
0x7D -> 0x1F63
0x7D -> 0x26FB
0x7F -> 0x26FF
0x80 -> 0x4301
0x81 -> 0x4303
0x83 -> 0x2A27
0x83 -> 0x4307
0x84 -> 0x4321
0x86 -> 0x4325
0x87 -> 0x4327
0x88 -> 0x4341
0x8A -> 0x4345
0x8B -> 0x2A37
0x8B -> 0x4347
0x8C -> 0x4361
0x8F -> 0x2A3F
0x8F -> 0x4367
0x90 -> 0x4701
0x92 -> 0x4705
0x93 -> 0x4707
0x95 -> 0x2A6B
0x95 -> 0x4723
0x96 -> 0x4725
0x98 -> 0x4741
0x99 -> 0x4743
0x9A -> 0x2A76
0x9B -> 0x4747
0x9C -> 0x2A7A
0x9E -> 0x4765
0x9F -> 0x2A7F
0xA2 -> 0x4B05
0xA4 -> 0x2AAA
0xA7 -> 0x4B27
0xAA -> 0x4B45
0xAB -> 0x2AB7
0xAC -> 0x2ABA
0xAD -> 0x4B63
0xAF -> 0x2ABF
0xAF -> 0x4B67
0xB0 -> 0x4F01
0xB4 -> 0x4F21
0xBB -> 0x2AF7
0xBC -> 0x4F61
0xBD -> 0x4F63
0xBF -> 0x2AFF
0xBF -> 0x4F67
0xC0 -> 0x5301
0xC1 -> 0x5303
0xC2 -> 0x5305
0xC4 -> 0x5321
0xC5 -> 0x5323
0xC8 -> 0x5341
0xCC -> 0x2E3A
0xCD -> 0x5363
0xCE -> 0x2E3E
0xCE -> 0x5365
0xCF -> 0x2E3F
0xCF -> 0x5367
0xD1 -> 0x5703
0xD2 -> 0x2E66
0xD3 -> 0x2E67
0xD4 -> 0x5721
0xD5 -> 0x5723
0xD6 -> 0x2E6E
0xD7 -> 0x5727
0xD8 -> 0x5741
0xD9 -> 0x5743
0xDC -> 0x2E7A
0xDD -> 0x5763
0xDF -> 0x5767
0xE0 -> 0x2EA2
0xE0 -> 0x5B01
0xE1 -> 0x5B03
0xE3 -> 0x2EA7
0xE4 -> 0x2EAA
0xE5 -> 0x5B23
0xE7 -> 0x5B27
0xE8 -> 0x5B41
0xEA -> 0x5B45
0xEC -> 0x5B61
0xED -> 0x2EBB
0xF3 -> 0x2EE7
0xF4 -> 0x2EEA
0xF5 -> 0x5F23
0xF8 -> 0x5F41
0xFA -> 0x5F45
0xFD -> 0x2EFB
0x102 -> 0x8305
0x103 -> 0x3227
0x103 -> 0x8307
0x106 -> 0x322E
0x108 -> 0x3232
0x108 -> 0x8341
0x10D -> 0x8363
0x10F -> 0x8367
0x113 -> 0x8707
0x114 -> 0x8721
0x115 -> 0x326B
0x115 -> 0x8723
0x116 -> 0x326E
0x116 -> 0x8725
0x117 -> 0x326F
0x119 -> 0x8743
0x11A -> 0x3276
0x11B -> 0x8747
0x11E -> 0x8765
0x11F -> 0x327F
0x11F -> 0x8767
0x123 -> 0x8B07
0x124 -> 0x8B21
0x125 -> 0x8B23
0x129 -> 0x32B3
0x12A -> 0x8B45
0x131 -> 0x8F03
0x132 -> 0x8F05
0x133 -> 0x32E7
0x133 -> 0x8F07
0x135 -> 0x8F23
0x136 -> 0x8F25
0x137 -> 0x8F27
0x138 -> 0x8F41
0x13B -> 0x32F7
0x13B -> 0x8F47
0x13D -> 0x8F63
0x141 -> 0x3623
0x141 -> 0x9303
0x142 -> 0x3626
0x142 -> 0x9305
0x143 -> 0x9307
0x144 -> 0x362A
0x146 -> 0x9325
0x148 -> 0x3632
0x148 -> 0x9341
0x14B -> 0x9347
0x14D -> 0x9363
0x150 -> 0x9701
0x154 -> 0x366A
0x154 -> 0x9721
0x155 -> 0x9723
0x15C -> 0x367A
0x15E -> 0x9765
0x15F -> 0x367F
0x15F -> 0x9767
0x160 -> 0x36A2
0x165 -> 0x36AB
0x16A -> 0x9B45
0x16B -> 0x9B47
0x16C -> 0x36BA
0x16C -> 0x9B61
0x171 -> 0x9F03
0x172 -> 0x36E6
0x175 -> 0x9F23
0x179 -> 0x9F43
0x17A -> 0x36F6
0x17C -> 0x9F61
0x17D -> 0x9F63
0x17E -> 0x9F65
0x180 -> 0xC301
0x181 -> 0xC303
0x182 -> 0xC305
0x183 -> 0xC307
0x184 -> 0x3A2A
0x184 -> 0xC321
0x186 -> 0xC325
0x188 -> 0x3A32
0x189 -> 0xC343
0x18A -> 0x3A36
0x18B -> 0xC347
0x18C -> 0x3A3A
0x191 -> 0x3A63
0x192 -> 0xC705
0x193 -> 0xC707
0x196 -> 0xC725
0x197 -> 0xC727
0x199 -> 0x3A73
0x199 -> 0xC743
0x19A -> 0x3A76
0x19D -> 0xC763
0x19F -> 0xC767
0x1A4 -> 0xCB21
0x1A6 -> 0xCB25
0x1A7 -> 0xCB27
0x1A8 -> 0xCB41
0x1A9 -> 0xCB43
0x1AA -> 0xCB45
0x1AB -> 0x3AB7
0x1AB -> 0xCB47
0x1AD -> 0xCB63
0x1AE -> 0x3ABE
0x1AF -> 0x3ABF
0x1B0 -> 0xCF01
0x1B1 -> 0xCF03
0x1B4 -> 0xCF21
0x1B5 -> 0xCF23
0x1B6 -> 0x3AEE
0x1B8 -> 0x3AF2
0x1B8 -> 0xCF41
0x1B9 -> 0x3AF3
0x1B9 -> 0xCF43
0x1BD -> 0xCF63
0x1BE -> 0xCF65
0x1BF -> 0xCF67
0x1C1 -> 0xD303
0x1C2 -> 0xD305
0x1C5 -> 0xD323
0x1C6 -> 0x3E2E
0x1C6 -> 0xD325
0x1C7 -> 0xD327
0x1C9 -> 0xD343
0x1CA -> 0x3E36
0x1CC -> 0xD361
0x1CE -> 0x3E3E
0x1D0 -> 0xD701
0x1D1 -> 0xD703
0x1D3 -> 0x3E67
0x1D5 -> 0x3E6B
0x1D6 -> 0xD725
0x1D7 -> 0x3E6F
0x1D7 -> 0xD727
0x1D9 -> 0xD743
0x1DA -> 0x3E76
0x1DA -> 0xD745
0x1DC -> 0xD761
0x1E0 -> 0xDB01
0x1E1 -> 0xDB03
0x1E2 -> 0xDB05
0x1E3 -> 0xDB07
0x1E4 -> 0xDB21
0x1E5 -> 0xDB23
0x1E7 -> 0x3EAF
0x1E8 -> 0xDB41
0x1EA -> 0x3EB6
0x1EB -> 0xDB47
0x1EC -> 0xDB61
0x1EE -> 0x3EBE
0x1EE -> 0xDB65
0x1F0 -> 0x3EE2
0x1F2 -> 0xDF05
0x1F4 -> 0xDF21
0x1F7 -> 0xDF27
0x1F8 -> 0x3EF2
0x1F9 -> 0x3EF3
0x1F9 -> 0xDF43
0x1FC -> 0x3EFA
0x1FD -> 0x3EFB
0x1FD -> 0xDF63
0x1FE -> 0xDF65
0x205 -> 0x622B
0x206 -> 0x622E
0x20C -> 0x623A
0x21C -> 0x627A
0x22C -> 0x62BA
0x22F -> 0x62BF
0x232 -> 0x62E6
0x23D -> 0x62FB
0x23E -> 0x62FE
0x245 -> 0x662B
0x24A -> 0x6636
0x24F -> 0x663F
0x250 -> 0x6662
0x252 -> 0x6666
0x256 -> 0x666E
0x258 -> 0x6672
0x259 -> 0x6673
0x25B -> 0x6677
0x261 -> 0x66A3
0x265 -> 0x66AB
0x266 -> 0x66AE
0x267 -> 0x66AF
0x269 -> 0x66B3
0x26F -> 0x66BF
0x270 -> 0x66E2
0x279 -> 0x66F3
0x27C -> 0x66FA
0x27D -> 0x66FB
0x280 -> 0x6A22
0x281 -> 0x6A23
0x284 -> 0x6A2A
0x287 -> 0x6A2F
0x28A -> 0x6A36
0x29D -> 0x6A7B
0x2A1 -> 0x6AA3
0x2A2 -> 0x6AA6
0x2A6 -> 0x6AAE
0x2AA -> 0x6AB6
0x2AB -> 0x6AB7
0x2AC -> 0x6ABA
0x2B7 -> 0x6AEF
0x2BA -> 0x6AF6
0x2BE -> 0x6AFE
0x2BF -> 0x6AFF
0x2C9 -> 0x6E33
0x2CD -> 0x6E3B
0x2D0 -> 0x6E62
0x2D4 -> 0x6E6A
0x2D7 -> 0x6E6F
0x2D9 -> 0x6E73
0x2DA -> 0x6E76
0x2DD -> 0x6E7B
0x2E6 -> 0x6EAE
0x2E7 -> 0x6EAF
0x2EC -> 0x6EBA
0x2EF -> 0x6EBF
0x2F0 -> 0x6EE2
0x2F2 -> 0x6EE6
0x2F3 -> 0x6EE7
0x2F4 -> 0x6EEA
0x300 -> 0x7222
0x304 -> 0x722A
0x30A -> 0x7236
0x30B -> 0x7237
0x314 -> 0x726A
0x317 -> 0x726F
0x319 -> 0x7273
0x31A -> 0x7276
0x31B -> 0x7277
0x31E -> 0x727E
0x31F -> 0x727F
0x321 -> 0x72A3
0x323 -> 0x72A7
0x324 -> 0x72AA
0x32F -> 0x72BF
0x333 -> 0x72E7
0x334 -> 0x72EA
0x33C -> 0x72FA
0x341 -> 0x7623
0x342 -> 0x7626
0x347 -> 0x762F
0x34E -> 0x763E
0x353 -> 0x7667
0x355 -> 0x766B
0x356 -> 0x766E
0x357 -> 0x766F
0x362 -> 0x76A6
0x363 -> 0x76A7
0x364 -> 0x76AA
0x36A -> 0x76B6
0x36E -> 0x76BE
0x371 -> 0x76E3
0x373 -> 0x76E7
0x376 -> 0x76EE
0x37A -> 0x76F6
0x37E -> 0x76FE
0x383 -> 0x7A27
0x384 -> 0x7A2A
0x385 -> 0x7A2B
0x387 -> 0x7A2F
0x38A -> 0x7A36
0x38E -> 0x7A3E
0x397 -> 0x7A6F
0x39B -> 0x7A77
0x3A0 -> 0x7AA2
0x3A5 -> 0x7AAB
0x3AE -> 0x7ABE
0x3B2 -> 0x7AE6
0x3B4 -> 0x7AEA
0x3BA -> 0x7AF6
0x3BC -> 0x7AFA
0x3BE -> 0x7AFE
0x3C2 -> 0x7E26
0x3CE -> 0x7E3E
0x3D8 -> 0x7E72
0x3D9 -> 0x7E73
0x3DB -> 0x7E77
0x3DE -> 0x7E7E
0x3E7 -> 0x7EAF
0x3EB -> 0x7EB7
0x3F2 -> 0x7EE6
0x3F5 -> 0x7EEB
0x3FC -> 0x7EFA
0x405 -> 0xA22B
0x409 -> 0xA233
0x40A -> 0xA236
0x40B -> 0xA237
0x40E -> 0xA23E
0x410 -> 0xA262
0x415 -> 0xA26B
0x416 -> 0xA26E
0x41A -> 0xA276
0x41F -> 0xA27F
0x421 -> 0xA2A3
0x423 -> 0xA2A7
0x42D -> 0xA2BB
0x42E -> 0xA2BE
0x432 -> 0xA2E6
0x434 -> 0xA2EA
0x437 -> 0xA2EF
0x439 -> 0xA2F3
0x43B -> 0xA2F7
0x43E -> 0xA2FE
0x43F -> 0xA2FF
0x443 -> 0xA627
0x447 -> 0xA62F
0x448 -> 0xA632
0x44C -> 0xA63A
0x454 -> 0xA66A
0x457 -> 0xA66F
0x459 -> 0xA673
0x45F -> 0xA67F
0x461 -> 0xA6A3
0x463 -> 0xA6A7
0x466 -> 0xA6AE
0x468 -> 0xA6B2
0x475 -> 0xA6EB
0x476 -> 0xA6EE
0x478 -> 0xA6F2
0x47E -> 0xA6FE
0x488 -> 0xAA32
0x48A -> 0xAA36
0x48B -> 0xAA37
0x490 -> 0xAA62
0x492 -> 0xAA66
0x493 -> 0xAA67
0x496 -> 0xAA6E
0x498 -> 0xAA72
0x49A -> 0xAA76
0x49F -> 0xAA7F
0x4A3 -> 0xAAA7
0x4A6 -> 0xAAAE
0x4A8 -> 0xAAB2
0x4A9 -> 0xAAB3
0x4AC -> 0xAABA
0x4B0 -> 0xAAE2
0x4B2 -> 0xAAE6
0x4B4 -> 0xAAEA
0x4B7 -> 0xAAEF
0x4BE -> 0xAAFE
0x4C5 -> 0xAE2B
0x4C7 -> 0xAE2F
0x4CE -> 0xAE3E
0x4CF -> 0xAE3F
0x4D3 -> 0xAE67
0x4D5 -> 0xAE6B
0x4DA -> 0xAE76
0x4E4 -> 0xAEAA
0x4E8 -> 0xAEB2
0x4E9 -> 0xAEB3
0x4EC -> 0xAEBA
0x4EE -> 0xAEBE
0x4EF -> 0xAEBF
0x4F1 -> 0xAEE3
0x4F7 -> 0xAEEF
0x4FC -> 0xAEFA
0x4FF -> 0xAEFF
0x503 -> 0xB227
0x517 -> 0xB26F
0x518 -> 0xB272
0x51D -> 0xB27B
0x520 -> 0xB2A2
0x525 -> 0xB2AB
0x526 -> 0xB2AE
0x528 -> 0xB2B2
0x52C -> 0xB2BA
0x52D -> 0xB2BB
0x531 -> 0xB2E3
0x537 -> 0xB2EF
0x541 -> 0xB623
0x542 -> 0xB626
0x54A -> 0xB636
0x54B -> 0xB637
0x54E -> 0xB63E
0x554 -> 0xB66A
0x55B -> 0xB677
0x55C -> 0xB67A
0x55F -> 0xB67F
0x560 -> 0xB6A2
0x564 -> 0xB6AA
0x569 -> 0xB6B3
0x56C -> 0xB6BA
0x56E -> 0xB6BE
0x573 -> 0xB6E7
0x574 -> 0xB6EA
0x575 -> 0xB6EB
0x577 -> 0xB6EF
0x57E -> 0xB6FE
0x581 -> 0xBA23
0x585 -> 0xBA2B
0x591 -> 0xBA63
0x592 -> 0xBA66
0x596 -> 0xBA6E
0x598 -> 0xBA72
0x59B -> 0xBA77
0x59E -> 0xBA7E
0x5A4 -> 0xBAAA
0x5AB -> 0xBAB7
0x5AF -> 0xBABF
0x5B1 -> 0xBAE3
0x5B3 -> 0xBAE7
0x5B5 -> 0xBAEB
0x5BB -> 0xBAF7
0x5BC -> 0xBAFA
0x5C2 -> 0xBE26
0x5C4 -> 0xBE2A
0x5CC -> 0xBE3A
0x5CD -> 0xBE3B
0x5D1 -> 0xBE63
0x5D5 -> 0xBE6B
0x5D9 -> 0xBE73
0x5DF -> 0xBE7F
0x5E2 -> 0xBEA6
0x5E3 -> 0xBEA7
0x5E7 -> 0xBEAF
0x5E9 -> 0xBEB3
0x5F0 -> 0xBEE2
0x5F1 -> 0xBEE3
0x5F2 -> 0xBEE6
0x5FD -> 0xBEFB
0x601 -> 0xE223
0x606 -> 0xE22E
0x60A -> 0xE236
0x611 -> 0xE263
0x613 -> 0xE267
0x625 -> 0xE2AB
0x626 -> 0xE2AE
0x632 -> 0xE2E6
0x633 -> 0xE2E7
0x63A -> 0xE2F6
0x640 -> 0xE622
0x647 -> 0xE62F
0x64C -> 0xE63A
0x656 -> 0xE66E
0x65C -> 0xE67A
0x661 -> 0xE6A3
0x669 -> 0xE6B3
0x678 -> 0xE6F2
0x67D -> 0xE6FB
0x67E -> 0xE6FE
0x67F -> 0xE6FF
0x683 -> 0xEA27
0x684 -> 0xEA2A
0x68A -> 0xEA36
0x692 -> 0xEA66
0x694 -> 0xEA6A
0x695 -> 0xEA6B
0x69E -> 0xEA7E
0x6A2 -> 0xEAA6
0x6A4 -> 0xEAAA
0x6A7 -> 0xEAAF
0x6AB -> 0xEAB7
0x6AD -> 0xEABB
0x6AF -> 0xEABF
0x6B1 -> 0xEAE3
0x6B2 -> 0xEAE6
0x6B7 -> 0xEAEF
0x6BB -> 0xEAF7
0x6BE -> 0xEAFE
0x6BF -> 0xEAFF
0x6C2 -> 0xEE26
0x6C7 -> 0xEE2F
0x6CB -> 0xEE37
0x6DB -> 0xEE77
0x6DC -> 0xEE7A
0x6DF -> 0xEE7F
0x6EB -> 0xEEB7
0x6F2 -> 0xEEE6
0x6F3 -> 0xEEE7
0x6F8 -> 0xEEF2
0x6FE -> 0xEEFE
0x703 -> 0xF227
0x705 -> 0xF22B
0x709 -> 0xF233
0x70B -> 0xF237
0x712 -> 0xF266
0x714 -> 0xF26A
0x715 -> 0xF26B
0x71B -> 0xF277
0x737 -> 0xF2EF
0x73E -> 0xF2FE
0x741 -> 0xF623
0x743 -> 0xF627
0x745 -> 0xF62B
0x74C -> 0xF63A
0x751 -> 0xF663
0x752 -> 0xF666
0x755 -> 0xF66B
0x756 -> 0xF66E
0x759 -> 0xF673
0x75F -> 0xF67F
0x761 -> 0xF6A3
0x765 -> 0xF6AB
0x766 -> 0xF6AE
0x767 -> 0xF6AF
0x76A -> 0xF6B6
0x76C -> 0xF6BA
0x778 -> 0xF6F2
0x779 -> 0xF6F3
0x77C -> 0xF6FA
0x77E -> 0xF6FE
0x781 -> 0xFA23
0x790 -> 0xFA62
0x793 -> 0xFA67
0x794 -> 0xFA6A
0x795 -> 0xFA6B
0x799 -> 0xFA73
0x7A7 -> 0xFAAF
0x7AD -> 0xFABB
0x7B0 -> 0xFAE2
0x7BA -> 0xFAF6
0x7BB -> 0xFAF7
0x7BC -> 0xFAFA
0x7C4 -> 0xFE2A
0x7C7 -> 0xFE2F
0x7CC -> 0xFE3A
0x7D8 -> 0xFE72
0x7E3 -> 0xFEA7
0x7EE -> 0xFEBE
0x7F4 -> 0xFEEA
0x7F8 -> 0xFEF2
0x7FB -> 0xFEF7
0x7FD -> 0xFEFB

Here, reversed the output of my program and added the opcodes in the first check in NetClient::Process.

EDIT: Sorted by unscrambled index. As you can see, there are a few collisions - this is when there both exists a scrambled opcode which causes it to dispatch the packet in the first way:

Code:

  if ( (a3 & 0x2399) == 0x301 )
  {
    result = sub_25A870((void *)_this, 0, a2, a3, v4);
  }

And an other scrambled opcode which causes it to dispatch the packets the way you showed above. In both ways the scrambled opcode maps to the same unscrambled index, and you get a collision.

[jjaa]

And I just created a map that does just that. Find 0x83 in the list - does it appear twice? It's just reversing the two.

Yes, but you used 0x2A27 to get to 0x83 (right?). My point is that by looking at where a function is registered, in this case clientConnectionThing+0x83*4+0x560 (without any dynamically obtained information) you cannot tell what the opCode (from the server) is going to be or where the handler is, because that requires the opCode.

[MaiN]

Yes, but you used 0x2A27 to get to 0x83 (right?). My point is that by looking at where a function is registered, in this case clientConnectionThing+0x83*4+0x560 (without any dynamically obtained information) you cannot tell what the opCode (from the server) is going to be or where the handler is, because that requires the opCode.

I did and verified it with the client. You can also use 0x83 to get to 0x2A27, but you will also be able to use 0x83 to get to a whole lot of other scrambled opcodes that seem valid without checking the client.

EDIT: Actually I lied, 0x83 is one of the few that doesn't have multiple scrambled equivalents. But a lot of them do.

[jjaa]

Interesting, so, out of curiosity, what is your method for dumping all of the OpCodes?

[LordJZ]

MaiN, my table and yours are different. The thing you've done is simple, now try getting your own copy of my table. Cheers!